NRS Audit and Risk Committee (ARC) meeting minutes - 26 June 2024

Home
Publications
NRS Audit and Risk Committee (ARC) meeting minutes - 26 June 2024

Share this page

Click here to share this page on Facebook. Click here to share this page on LinkedIn. Click here to share this page on X (formerly known as Twitter).

Wednesday 26 June 2024
MICROSOFT TEAMS 10:00 – 13:00
(Private discussion 13:00-13:15)

ARC Members

Maggie Waterston (Chair) NRS Non-Executive Director
Anne Moises NRS Non-Executive Director
Tim Wright NRS Non-Executive Director

ARC Attendees

Janet Egdell NRS, Interim CEO
NRS, Director of Corporate Services & Accountable officer
NRS, Director of Digital & Delivery
NRS, Head of Cyber Security, Risk and Resilience (Item 4)
NRS, Director of Census Statistics (Item 6.1 & 6.2)
NRS, Director of Information and Records Services (until 11:40)
NRS, Deputy Director, Information and Records Services (Item 3.2)
NRS, Chief Financial Officer
Internal Auditor – Scottish Government
Digital Assurance Office lead for NRS - Scottish Government
Engagement Director for NRS – Grant Thornton
Engagement Manager – Grant Thornton
NRS, Corporate Business Assurance Manager
Corporate Business Continuity Lead
NRS, BMU Business Support Manager
NRS, Business Management (Secretariat)

Apologies

Internal Audit Manager – Scottish Government
Internal Audit Manager – Scottish Government
NRS, Corporate Governance Manager

1. Welcome, Introductions and Apologies. Declaration of Interests & Matters Arising

1.1 Maggie Waterston welcomed everyone to the meeting. Apologies were noted as listed above.

1.2 There were no declarations of interests or matters arising.

2. Meeting held on 27 February 2024

2.1 The minutes from the last meeting on 27 February 2024 were approved and would be published on the NRS website.

2.2 A review of actions was undertaken. The action tracker would be updated accordingly.

3.1 NRS Risk Dashboard

3.1.1 The Director of Corporate Services & Accountable officer introduced the NRS Risk Dashboard to the meeting and covered the following key points below.

NRS were continuing to track the top risks, including archive storage, financial sustainability, cyber resilience and one new risk identified around the roll out of the new SG Oracle Cloud HR and Finance System on 1 October 2024
NRS were continuing to improve the narrative around actions taken to further mitigate top strategic NRS risks
The risk dashboard had been updated with a fuller breakdown of any planned actions
The new dashboard had been presented to the Executive Management Board (EMB)
The new dashboard would be introduced from 1 October 2024
A risk log was being developed to capture and join up any new risks across the organisation and highlight any common themes

3.1.2 Anne Moises asked how NRS risks were being managed in relation to the upgrade of Oracle Cloud systems in October 2024. The Director of Corporate Services & Accountable officer advised NRS were managing these as three separate risks to HR change, Finance, Procurement and
Purchase to Pay and were working with SG to understand all the changes and potential impacts. The Director of Corporate Services & Accountable officer advised of the HR recruitment onboarding pause between the 31 July and 14 October 2024.

3.2 Collection audit – Task and Finish

3.2.1 The Director, Information and Records Services provided an update on the collection audit and the progress of the Task and Finish Group. The committee noted that good progress has been made and that the timeline for completion in the autumn was on track to be met.

3.3 Information governance: Dumfries & Galloway (D&G) Incident follow up

3.3.1 Janet Egdell provided an update on the D&G NHS cyber incident with the following key points below.

NHS had issued a leaflet to D&G residents around their response to the cyber incident providing a public helpline
NRS had issued a proactive press release and correspondence with a mailbox for any public enquiries
Around 50 letters were issued by NRS to individuals affected by the incident
Incident management was still ongoing for the cyber incident
NHS and NRS were moving into the recovery phase and lessons learned
A rapid review had been carried out to review NRS processes and follow up with any mitigation

3.3.2 Anne Moses asked what the recovery objectives were in response to the cyber incident. Janet Egdell advised NRS were scoping out the recovery phase objectives and had identified short-term objectives, including a review of how well mapped NRS data flows were, a review of all NRS data sharing agreements and a longer-term response of NRS NHS data storage and services. The Director of Corporate Services & Accountable officer advised that Azets were undertaking a further review of the cyber incident and would share the recovery phase project scope with NXD’s once this was finalised.

Action 03/24: To share the D&G Cyber Incident recovery phase project scope with NXDs once this was finalised. Action Owner: Director of Corporate Services & Accountable officer

3.4 Information Sharing Service level arrangements

3.4.1 The Director of Corporate Services & Accountable officer provided an update on NRS processes around data Information Sharing Service level arrangements and lessons learned from the NHS cyber incident.

NRS Procurement were responsible for Memorandum of Understanding (MOU’s), Data Processing Agreements (DPA’s) and Delegated Purchasing Authority for the organisation
NRS Procurement were reviewing governance and procurement processes, including existing DPA templates in response to the cyber incident and were updating NRS approaches to DPA’s and Development Services Agreements (DSA’s)
NRS Procurement were putting in place additional data protection cyber security clauses into DPA templates with stronger control and engagement with other organisations
NRS Procurement had developed legally compliant DPA templates which were available online to ensure NRS staff had suitable agreements in place
DPA agreements were likely to increase due to Public Service Reform
A DPA formal Data Processing Agreement (DPA) sharing agreement was in place for D&G NHS

3.5 Tim Wright asked how regularly NRS reviewed their DPA agreements, what happened if a client didn’t comply with a DPA and what due diligence was taken by NRS to validate that an organisation had requirements in place. The Director of Corporate Services & Accountable officer advised if the client didn’t comply with DPA then NRS would withdraw the data shared. The Director of Corporate Services & Accountable officer advised due diligence was carried out when preparing agreements to understand what the use of data was and that there was potential for introduction of DPA RAG assessments.

3.6 Anne Moises asked how NRS prioritised service level agreements and how often DPA’s were reviewed. The Director of Corporate Services & Accountable officer advised NRS and internal audit were reviewing the process, areas of prioritisation, and the level of resourcing required for the programme of review. The Director of Corporate Services & Accountable officer advised NRS did not have set review points in place for DPA’s but would consider introducing regular reviews of DPA’s and the internal control aspect. The Director of Corporate Services & Accountable officer advised a review would be carried out to identify what improvements could be made to build on assurances. Maggie Waterston requested this be brought to the next committee meeting.

3.7 Maggie Waterston requested that the committee be updated on the data sharing review and have sight of the updated DPA template at the August meeting. The Director of Corporate Services & Accountable officer confirmed an update would be provided including any internal audit review recommendations and any follow up around the D&G NHS cyber incident.

Action 04/24: Provide an update on the data sharing review and updated DPA template at the August meeting. Action Owner: Director of Corporate Services & Accountable officer / Chief Purchasing/Procurement Officer

4. Deep dive: Cyber Resilience with Disaster Recovery and Business Continuity

4.1 The Director of Digital & Delivery and Head of Cyber Security, Risk and Resilience introduced the paper with the following key points.

NRS continued to monitor the cyber risk and mitigate any vulnerabilities
NRS were at the leading edge of vulnerability management response rate and continued to monitor the key risk to NRS data sharing
The Cyber Security team monitored a variety of cyber intelligence sources, including the National Cyber Security Centre (NCSC) who advised that public sector organisations were at a higher risk of cyber-attacks in the run up to the election from state sponsored threat actor groups
NRS continued to hold regular meetings with staff around the importance of cyber resilience
Since last meeting NRS had secured cyber essentials + accreditation and Public Service Network (PSN) compliance
NRS had also introduced Multi Factor Authentication (MFA) into corporate systems
NRS were increasing security levels for staff with access to sensitive data
NRS were moving to cloud based native platforms as they were significantly more secure than legacy systems and infrastructure
NRS were planning tabletop simulation exercises to improve incident response and management maturity levels
Working with SG colleagues and other public sector organisations to improve cyber resilience
An end-to-end data mapping exercise would be carried out to review NRS services and business processes in response to the D&G cyber incident

4.2 Anne Moises asked if NRS were a member of NCSC Connect Share Inform Protect (CISP) platform and if NRS were engaging with the Scottish Cyber Communication Centre (SC3). The Head of Cyber Security, Risk and Resilience confirmed NRS were a CISP member and that NRS were taking part in a tabletop simulation exercises with SC3 and other organisations of the safe haven.

4.3 Anne Moises asked if NRS had access to information from the SG Security Operations Centre (SOC). The Head of Cyber Security, Risk and Resilience advised NRS were in regular contact with SG SOC who shared any emerging risks.

4.4 Tim Wright asked if NRS were monitoring emerging artificial intelligence and threat actors risks. The Head of Cyber Security, Risk and Resilience confirmed these were captured on the NRS risk register and the main threat was from AI phishing attacks. The Head of Cyber Security, Risk and Resilience advised NRS staff had received training around phishing emails and that SG were carrying out regular phishing campaigns. The Head of Cyber Security, Risk and Resilience advised NRS were continuing to work with SG colleagues to ensure information assets were secure.

4.5 The paper was noted by the Committee.

5. Update on Archive and Digital Storage Business Case

5.1 The Director of Information and Records Services introduced the paper with the following key points.

NRS were splitting up their investment proposals into two areas for Physical Archiving and Digital Archiving with a strategic outline business case (OBC) by June 2025
Specialist skill sets were required for the development of the business case
A tactical digital project was ongoing in parallel to review and refine existing NRS digital archive systems. Discovery work for this project would feed into the OBC
The additional resource requirements were being prepared for approval at the next Digital Strategy Board in July 2024

5.2 Tim Wright asked what the impact would be to NRS statutory requirements if the proposals for investment were not made. Janet Egdell advised public sector demands on archiving were under scrutiny and the top risks to NRS were legal, reputational and gaps in the historical archive. The Director of Information and Records Services advised NRS had an obligation to agree a records management plan with the Crown Office and Scottish Court Service and failure of a future records management plan would increase archive storage costs for the public sector.

5.3 Anne Moises and Tim Wright requested a meeting with The Director of Information and Records Services to discuss the Archive and Digital Storage Business Case further.

5.4 Maggie Waterston noted concerns around the progress made and suggested a full programme delivery board was required to progress the business cases. Maggie requested Archive and Digital Storage continue to be a standing agenda item for ARC.

5.5 The Chief Financial Officer recommended Archive and Digital Storage Business Case proposals were made to SG well ahead of the next budget in autumn 2025.

5.6 The SG Digital Assurance Office lead for NRS requested a meeting to discuss planning around digital assurance. The Director of Digital & Delivery advised this was on NRS Digital Project planning and would engage early on how we set this up and assure.

Action 05/24: Meeting to be arranged between Director of Information and Records Services, Anne Moises and Tim Wright. Action Owner: Director of Information and Records Services

Action 06/24: Meeting to be arranged between Director of Information and Records Services, SG Digital Assurance Office lead for NRS and The Director of Digital & Delivery. Action Owner: Director of Digital & Delivery / Director of Information and Records Services

Action 07/24: Programme delivery board to be put in place. Action Owner: Director of Information and Records Services

6.1 Update on Future of Population Statistics Business Case (FoPS)

6.1.1 The Director of Census Statistics introduced the paper with the following key points below.

• FoPS were continuing to develop the Outline Business Case (OBC), and were reviewing all future potential models and approaches to data collection, including financial costs and resourcing required

• NRS were continuing to develop the FoPS OBC and would submit this to SG by the end of June 2024

• Positive feedback had been received from Executive Steering Group on the development of the FoPS OBC

• NRS were continuing to monitor Office of National Statistics (ONS) approach to FoPS and were considering wider SG objectives

6.1.2 Tim Wright noted the wider trend of countries shifting towards using more administrative data sets to compliment Census data and noted potential negative public reaction to this, and highlighted an example of complaints raised by New Zealand citizens in relation to the gathering and misuse of 2021 New Zealand Census data.

6.2 Draft Future of Population Statistics Strategic Outline Case

6.3 The paper was noted by the Committee.

7. NRS Finance Report inc. Financial Performance & Achievement of Financial Targets

7.1 The Chief Financial Officer provided an update on the provisional outturn for NRS as at end May 2024 (period 02), with performance being assessed against forecasts that were informed by the 24/25 Budget Commissioning process, with next steps and actions to note and agree.

7.2 Members noted the 2024/25 forecast outturn position at May 2024 (Period 02), and notednext steps.

8. Draft NRS Annual Report and Accounts for 2023-2024

8.1 The Chief Financial Officer thanked members for reviewing the draft NRS Annual Report and Accounts (ARA).

8.2 The Chief Financial Officer advised the External Audit of NRS Annual Reporting and Accounts was in progress. The final draft of the Annual Report and Accounts would be shared at the next ARC meeting on 28 August 2024 for sign-off by ARC and laid in the Scottish Parliament
shortly after that meeting.

8.3 Tim Wright noted there was some duplication in the report and suggested infographics could be used in the Annual Report and Accounts. The Chief Financial Officer advised this was due to guidance that each chapter should cover the full narrative as readers only tend to review the chapters they were interested in.

8.4 Anne Moises noted Maggie Waterston was not listed as member of the Strategic Board in the report. The Chief Financial Officer confirmed this would be updated.

8.5 Maggie Waterston noted delays in public bodies receiving pensions data.

8.6 The Committee thanked The Chief Financial Officer and team for their hard work.

9.1 Internal Audit Annual Assurance Report for 2023/24

9.1 SG Internal Auditors introduced the Annual Assurance Report for 2023/24 and this was noted by the committee. The overall assurance opinion for last year was Reasonable.

9.1.1 SG Internal Auditors advised some minor improvements were required to enhance the adequacy and effectiveness of NRS procedures. There were weaknesses in the risk, governance and / or control procedures in place but not of a significant nature.

9.1.2 The Progress Report against the audit plan for 2023/24 was noted by the committee.

9.1.3 Maggie Waterston asked for further background in relation to the scoring and particularly about the transactions placed out with the scheme of delegation and the delayed signing of Delegated Letters of Authority.

9.1.4 Tim Wright noted February 2025 deadline seemed quite a long way off for NRS management responses to the internal audit. The Director of Corporate Services & Accountable officer advised that strategic financial capability and experience within NRS was varied and training was being arranged for senior staff. The Director of Corporate Services & Accountable officer advised that fixed staffing costs were the main issue for NRS and the Delegated letters ofAuthority for 2023/24 were not signed by Directors or had caveats in place as the SG Budget was
not sufficient to meet Directors needs and staff costs.

9.1.5 Anne Moises asked if there were any emerging findings in relation to the use of electronic purchasing cards (ePC). The Director of Corporate Services & Accountable officer advised NRS had reduced the amount of ePCs available and controls had been tightened up in response to the
Permanent Secretary request to reduce all non-essential spending.

9.2 Internal Audit progress reports for 2024/25 on active/follow-up audits

SG Internal Auditors advised the 2023/24 report delivered at the end of the year was reasonable.

Members noted the report.

Appendix 1 - DIAA Service Overview

9.2.1 The committee noted the overview.

DIAA Quarterly Bulletin

9.2.2 The committee noted the bulletin.

9.3 Ad hoc advisory Information Governance Audit progress

9.3.1 The committee noted progress and thanked SG Internal Auditors for their hard work in producing their reports.

10. External Audit update

10.1 Grant Thornton provided an oral update on external audit work with the following key points below.

External Audit had presented their main outputs at the last ARC meeting in February 2024
Eternal Audit would present their annual audit reports at the August ARC meeting
External Audit planning work for first 9 months of the financial year had been completed in March
External Audit had met with chair and senior management and were briefed on issues as they arose
NRS Annual Accounts and working papers were received on time for audit review in preparation for the SG target of signing off the Annual accounts at the August meeting
Accounts review comments had been provided
The Grant Thornton external audit on NRS Annual Report and Accounts would conclude mid-July 2024
The wider scope external audit was underway and would continue to monitor any updates that were relevant to the report

11. Committee Reports - To Note and Questions

NRS Governance Report

11.1 The Committee noted the report.

NRS Portfolio report

11.2 The Committee noted the report.

NRS Assurance update

11.3 The Committee noted the report.

NRS Audit Recommendations Status Report

11.4 The Committee noted the report.

11.4.1 Tim Wright requested further context in relation to the significant increase in the number of Key Performance Indicators (KPI’s) from 15 to 33. The Corporate Business Assurance Manager advised NRS were collecting additional KPIs across more areas of work to provide colleagues with more clarity around NRS operations.

12.1 Draft Committee Annual Report

12.1 The Committee noted the draft annual report.

12. The final Annual Report would be shared with all attendees for comment in advance of the next meeting.

Action A08/24: BMU to circulate the final Annual Report to all attendees before the September ARC meeting. Action Owner: BMU

12.2 Self-Assessment Checklist

12.3 Checklist of Improvement Actions

12.3.1 The Director of Corporate Services & Accountable officer noted the NXD’s request for an additional ARC NXD would be considered.

13. To Note: ARC Forward Look for year ahead

13.1 The Forward Look was noted by all Committee members.

13.2 The Director of Digital & Delivery advised the draft Digital Strategy would be shared with NXD’s once it had completed the internal review process.

13.3 Maggie Waterston and Tim Wright suggested Procurement controls and the new Oracle Cloud system be discussed at a future ARC meeting. Maggie Waterston suggested these topics were added to the forward look for 2025.

Action: 09/24: Delegation and Procurement controls, new Oracle Cloud system to be added to the ARC forward look for 2025. Action Owner: BMU

14. AOB & Date of Next Meeting

14.1 The date of the next meeting was noted as 28 August 2024 and

End